Secure access to a subscription module

ABSTRACT

A method of providing to a client communications device access to a subscription module of a server communications device, the method comprising the steps of establishing a communications link between the client communications device and the server communications device; and communicating a number of messages comprising data related to the subscription module between the server communications device and the client communications device via the communications link. The method further comprises the step of providing integrity protection of the messages communicated between the server communications device and the client communications device via the communications link.

This invention relates to a method of providing to a client communications device access to a subscription module of a server communications device. More particularly, this invention relates to a method of providing to a client communications device access to a subscription module of a server communications device, the method comprising the steps of establishing a communications link between the client communications device and the server communications device; and communicating a number of messages comprising data related to the subscription module between the server communications device and the client communications device via the communications link.

In many wireless communications systems, such as GSM, UMTS, GPRS, etc., communications devices are equipped with a subscription module, such as a SIM card, a USIM card, or the like. When a subscriber requests a communication service it is determined, via said subscription module, whether the subscriber is qualified to receive communication services from that system. For this purpose, a subscriber identity is assigned to a device in a wireless communications system which uses a subscriber identity media. In order to get access to the communications services, the communications device needs to have access to security sensitive information which is unique to the subscription and which is stored in the subscription module.

Similarly, other types of authentication or security services, such as WLAN access at hotspots, desktop login or web authentication, may be based on a subscription module, possibly in combination with GSM/UMTS related services.

In the context of the Global System for Mobile Communications (GSM), subscription is based on a SIM (subscriber identity module) card, i.e. the subscription module is implemented as a SIM card attached to a mobile device. The SIM card includes a ROM (Read Only Memory), a RAM (Random Access Memory), an EEPROM (Electrically Erasable Programmable Read Only Memory), a processor unit and an interface to the communications device. The memory of the SIM provides storage of the subscriber identity which is the International Mobile Subscriber Identity (IMSI) in a GSM network. Except for emergency calls, the device can only be operated if a valid SIM is present. The SIM supports a security function for verification of the user of the device and for authentication of the user to the GSM network. The SIM further comprises information elements for GSM network operations, e.g. related to the mobile subscriber or GSM services.

In the above described context, if a user would like to use a SIM card, i.e. a single subscription, to connect to a wireless communications network from several different personal mobile devices, he or she needs to manually remove the SIM card from one device and put it into another device. In order to avoid this inconvenient operation it is advantageous if the wireless communication system allows more than one communications device to share the same subscriber identity without having to pay for more than one subscription.

Similarly, if the user would like to utilise a general purpose subscription module like the SIM or USIM card for authentication or security services other than GSM/UMTS, for example WLAN access, the subscription module must be manually removed from one device and inserted into the device that is the end-point for that other authentication process.

The emerging short-range wireless technologies, such as Bluetooth and wireless LAN, which enable relatively high speed short range connections, have made it possible to simplify the tedious procedure described above.

The international application WO 99/59360 discloses an arrangement for communicating SIM related data in a wireless communications system between a wireless communications device and a subscriber identity device including a subscriber identity unit with a SIM card. The wireless communications device and the subscriber identity device are separated from each other, but may communicate with each other via a local wireless communications link within a radio frequency range. SIM related data is communicated over the local wireless communications link. Hence the above prior art system allows a simplified sharing of a subscription module by several communications devices. Instead of moving the SIM card between different mobile devices, direct wireless access to the SIM card over an air interface is realised. In the above prior art, the local wireless communications link is encrypted in order to establish a secure wireless communications link that hinders third party interception of sensitive information.

The Bluetooth pairing mechanism produces a shared secret, the so-called link key, between two Bluetooth devices (see “Baseband Specification” in “Specification of the Bluetooth System, Core, Version 1.1”, Bluetooth Special Interest Group, February 2001). The link key is derived from a PIN that is entered by the user of the devices. The link key is subsequently used to protect the Bluetooth communication. However, since the remote access to a subscription module is particularly security sensitive, there is a need for increased security, i.e. an improved protection of the subscription module against unauthorised access to the sensitive subscription information and services on the module.

Furthermore, the IEEE 802.11 standard offers secure communications services such as authentication and encryption via a wired equivalent privacy mechanism (see “IEEE Std 802.11-1999 Edition IEEE-Part 11: Wireless LAN Medium Access Control and physical layer specifications”). However, this mechanism is known to have security weaknesses.

Hence, the above prior art systems involve the problem that the communication between the server and client communications device may be intercepted and an established communications link may be taken over by a dishonest user who may misuse the gained access to the subscription module.

Furthermore, if the local wireless communications link is a link to a local wireless network, such as a Bluetooth piconet, the link between the client device and the server device may comprise several wireless connections involving intermediate devices, thereby causing the security of the communications link to be difficult to control, even though the individual communications links may be encrypted. Hence, there is a risk of unauthorised interception and use of sensitive data related to the subscription module.

Hence, it is an object of the present invention to provide increased security for remote access of a subscription module.

The above and other problems are solved when a method of providing to a client communications device access to a subscription module of a server communications device, the method comprising the steps of

-   establishing a communications link between the client communications device and the server communications device; and
-   communicating a number of messages comprising data related to the subscription module between the server communications device and the client communications device via the communications link

is characterised in that

the method further comprises the step of providing integrity protection of the messages communicated between the server communications device and the client communications device via the communications link.

Consequently, according to the invention an improved security is achieved by authenticating the individual messages sent between the client and server communications devices. Hence, it is ensured that the communicated messages are sent by a legitimate device and that they have not been altered during transmission over the air interface, thereby providing improved security against a dishonest user's attempt to take over a once authenticated communication channel between the devices.

In particular, it is an advantage of the invention that it provides protection of the interface between the client and server communications devices against active wiretapper attacks.

It is a further advantage of the invention that it does not require a trust relation between the subscription module and the client communications device.

Here, the term integrity protection comprises any method of assuring that information sent from an originating source is not accidentally or maliciously altered or destroyed during communication from the source to the receiver.

In a preferred embodiment of the invention, the step of providing integrity protection further comprises calculating, based on a secret session key, a respective message authentication code for each of the communicated messages; and including the calculated message authentication code into the corresponding communicated message.

Hence, by using a message authentication code (MAC), i.e. a keyed hashing algorithm that uses a symmetric session key, an increased security is achieved by providing integrity protection for each individual message. When using this type of algorithm, the sending application computes a hash function using a secret session key, and the receiving application needs to possess the same key to re-compute the hash value and, thus, to be able to verify that the transmitted data has not changed.

In a preferred embodiment of the invention, the step of establishing a communications link between the client and server communications devices comprises determining a secret session key based on a shared secret between the server and client communications devices. Hence, by refreshing the secret hashing key at each new session, replay attacks are avoided, i.e. attempts by a dishonest user to repeat a previously intercepted message.

Here, the term shared secret comprises any suitable secret data item, e.g. a secret key, a bit string, or the like, known to the server and the client communications devices that is suitable as an input for a cryptographic algorithm, such as a hash function, a MAC algorithm, a pseudo-random function, or the like.

In a further preferred embodiment of the invention, the method further comprises providing the shared secret by performing a secure pairing procedure including receiving a passcode by at least one of the client communications device and the server communications device. Hence, a user friendly security mechanism is provided which does not demand any more user interaction than is already required when, for example, pairing two Bluetooth devices.

Depending on the method employed, a user may have to enter the passcode in both devices or in one device, e.g. by displaying a PIN code on one of the devices and requesting the user to enter the PIN in the corresponding other device.

Furthermore, if the required passcode is short, i.e. less than 7 digits or letters, the time-consuming task of entering a long passcode is reduced and the possibility of entering an erroneous passcode is reduced. High security may still be achieved by utilising high-security PIN methods such as the one described in C. Gehrmann and K. Nyberg, “Enhancements to the Bluetooth baseband security”, Proceedings of the NordSec Conference 2001, Nov. 1-2, 2001, DTU Denmark.

In another preferred embodiment, the communications link has a secret link key related to it and the method further comprises providing the shared secret by calculating the shared secret using the secret link key as an input.

Hence, existing pairing mechanisms for the set-up of the communications link between the server and client devices may be utilised to enhance the security of the remote access to the subscription module. For example, in connection with a Bluetooth communication, the Bluetooth link key may be utilised to derive the shared secret for integrity protection. Hence, no additional interaction is required for achieving the additional security.

In yet another preferred embodiment of the invention, the method further comprises

-   incorporating a value of a first counter in each of the messages communicated from the client communications device to the server communications device, the first counter being indicative of the number of messages communicated from the client communications device to the server communications device; and
-   incorporating a value of a second counter in each of the messages communicated from the server communications device to the client communications device, the second counter being indicative of the number of messages communicated from the server communications device to the client communications device;

and the step of calculating a respective message authentication code for each of the communicated messages comprises calculating a message authentication code for each of the communicated messages and the corresponding counter value.

Hence, by providing respective counters for the messages communicated to and from the server communications device, the security of the communication is further increased. For example, a dishonest user who may have intercepted a previous message including a request for sensitive information, may attempt to simply repeat this request, in order to receive the information as a reply. However, by providing a message counter, the repeated message will be identified as out of sequence by the server and can, thus, be discarded.

In the above prior art systems, once the client communications device is authenticated, it may access any function in the subscription module via the messages sent over the air interface, thereby creating a potential security risk of unauthorised access.

In a preferred embodiment of the invention, the method further comprises determining, for the messages communicated from the client communications device to the server communications device, whether the message is authorised to address the subscription module. Hence, a filter mechanism is provided in the server communications device which allows a selective access control and a mechanism to restrict or limit access to the subscription module, thereby increasing the security of the subscription module access.

Preferably, the method further comprises providing a shared secret between the client communications device and the server communications device; and providing an access control list stored in the server communications device in relation to at least one of the shared secret and the client communications device, thereby providing a mechanism for storing individual access control lists for different client communications devices in a safe manner. A protected database may, for example, be implemented by storing the data on a special circuit, by providing software-based protection, such as encryption, authentication, etc., or a combination thereof.

The communications link may be an electric link or a wireless communications link, such as an electromagnetic, magnetic or inductive link. Examples of electromagnetic links include radio-frequency links, optical links, infrared links, microwave links, ultrasound links, or the like. For example, the communications link may be a radio link according to the Bluetooth standard, i.e. a short-range wireless technology that enables different units to communicate with relatively high speed. Bluetooth as well as other short-range wireless technologies make it possible to set up fast connections between different personal computing devices like a mobile phone, a Personal Digital Assistant (PDA), etc.

When the communications link is a wireless communications link, a fast way of establishing a communications link is provided without the need of a physical or electrical connection between the devices.

The term communications device comprises any electronic equipment including communications means adapted to establish a communications link as described above, or part of such electronic equipment. The term electronic equipment includes computers, such as stationary and portable PCs, stationary and portable radio communications equipment, etc. The term portable radio communications equipment includes mobile radio devices such as mobile telephones, pagers, communicators, e.g. electronic organisers, smart phones, PDAs, or the like.

The term subscription module comprises modules which may be removably inserted into a communications device, such as a smart card, a SIM card, a USIM card, a wireless identity module (WIM) card, any other suitable integrated circuit card (ICC), or the like. The term subscription module further comprises modules which are physically inseparable from the server communications device.

The subscription module may be brought into physical contact with, e.g. inserted in, the server communications device, or a communications connection may be established, e.g. by bringing the subscription module into the range of coverage of a wireless communications interface.

The data communicated between the client and the server communications device may be data stored in the subscription module. The data may be required for registering the client communications device in a cellular network, for establishing a communications connection from the client communications device, e.g. a voice, fax, or data call, hereafter referred to as a “call”, for receiving a call from the network directed to a telephone number associated with the subscription module, for authorising payments or other transactions, for accessing functionality or interfaces of the server communications device, or the like. The data may further comprise subscription authorisation data, e.g. a PIN code entered by a user of the client communications device and sent to the server communications device. The data may further comprise address data, phone books, or any other sensitive data related to the subscription module. The communication of data may comprise the transmission of data from the server communications device to the client communications device and/or the transmission of data from the client communications device to the server communications device. Hence, access to the subscription module involves access to the data related to the subscription module, i.e. the transmission of data to the subscription module, the reception of data from the subscription module, or the like.

The subscription module may be able to authenticate a number of different client communications devices.

The present invention can be implemented in different ways including the method described above and in the following, an arrangement, and further methods and product means, each yielding one or more of the benefits and advantages described in connection with the first-mentioned method, and each having one or more preferred embodiments corresponding to the preferred embodiments described in connection with the first-mentioned method and disclosed in the dependent claims.

It is noted that the features of the method described above and in the following may be implemented in software and carried out in a data processing system or other processing means caused by the execution of computer-executable instructions. The instructions may be program code means loaded in a memory, such as a RAM, from a storage medium or from another computer via a computer network. Alternatively, the described features may be implemented by hardwired circuitry instead of software or in combination with software.

The invention further relates to a communications system comprising a client communications device and a server communications device including a subscription module, the client and server communications devices each comprising respective communications means for establishing a communications link between the client communications device and the server communications device, and for communicating a number of messages comprising data related to the subscription module between the server communications device and the client communications device via the communications link;

characterised in that

the client communications device and the server communications device each comprise respective processing means adapted to provide integrity protection of the messages communicated between the server communications device and the client communications device via the communications link.

The invention further relates to a server communications device including a subscription module, the server communications device comprising communications means for establishing a communications link with a client communications device, and for communicating a number of messages comprising data related to the subscription module between the server communications device and the client communications device via the communications link;

characterised in that

the server communications device comprises processing means adapted to provide integrity protection of the messages communicated between the server communications device and the client communications device via the communications link.

The invention further relates to a client communications device for providing access to a subscription module of a server communications device, the client communications device comprising communications means for establishing a communications link with the server communications device including the subscription module, and for communicating a number of messages comprising data related to the subscription module between the client communications device and the server communications device via the communications link;

characterised in that

the client communications device comprises processing means adapted to provide integrity protection of the messages communicated between the client communications device and the server communications device via the communications link.

When the server communications device, the communications means of the server communications device, and the subscription module are physically included in a single unit, a particularly high level of security is provided, as the possibility of data interception and misuse is further reduced. Advantageously, the server communications device, a wireless interface and the subscription module may be implemented as one physically inseparable entity.

The server communications device may be used as a server device for a number of different client communications devices using the same subscription.

The term processing means comprises general- or special-purpose programmable microprocessors, Digital Signal Processors (DSP), Application Specific Integrated Circuits (ASIC), Programmable Logic Arrays (PLA), Field Programmable Gate Arrays (FPGA), special purpose electronic circuits, etc., or a combination thereof.

The term storage means includes magnetic tape, optical disc, digital video disk (DVD), compact disc (CD or CD-ROM), mini-disc, hard disk, floppy disk, ferro-electric memory, electrically erasable programmable read only memory (EEPROM), flash memory, EPROM, read only memory (ROM), static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), ferromagnetic memory, optical storage, charge coupled devices, smart cards, PCMCIA cards, etc.

The term communications means comprises any circuit adapted to establish the above mentioned communications link. Examples of such circuits include RF transmitters/receivers, e.g. Bluetooth transceivers, light emitters/receivers, e.g. LEDs, infrared sensors/emitters, ultrasound transducers, etc.

The above prior art systems involve the problem that, when the subscription module is used for other authentication services in addition to GSM/UMTS, e.g. for WLAN access, etc., the security of the GSM/UMTS access may be compromised by the other services.

According to another aspect of the invention, the above problem is solved by a method of providing to a client communications device access to a subscription module by a server communications device comprising the subscription module, the method comprising the steps of

-   establishing a communications link between the client communications device and the server communications device; and
-   receiving a number of messages from the client communications device by the server communications device via the communications link, the messages addressing the subscription module;

characterised in that

the method further comprises the step of determining, for at least one of the received messages, whether the message is authorised to address the subscription module.

Hence, a filter mechanism is provided in the server communications device which allows a selective access control and a mechanism to restrict or limit access to the subscription module, thereby increasing the security of the subscription module access. Even though the client communications device is authenticated, it is not necessarily authorised to access all the services provided by the subscription module, thereby increasing the security. Only those messages from the client communications device addressing functions and/or data on the subscription module which are authorised by the filter mechanism are accepted and forwarded to the subscription module.

According to a preferred embodiment, the method further comprises providing integrity protection of the messages communicated between the server communications device and the client communications device via the communications link, where the integrity protection is based on a shared secret between the client communications device and the server communications device; and providing an access control list stored in the server communications device in relation to at least one of the shared secret and the client communications device.

Preferably, the access control list is stored in a protected database, thereby providing a mechanism for storing individual access control lists for different client communications devices in a safe manner. A protected database may, for example, be implemented by storing the data on a special circuit, by providing software-based protection, such as encryption, authentication, etc., or a combination thereof.
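As an added illustration, not code from the patent, the following Python models together the mechanisms described in this passage and in the integrity-protection passages above: a session key derived from a shared secret standing in for the Bluetooth link key, a MAC over each message and its per-direction counter, the out-of-sequence check that discards repeated messages, and the server-side filter that consults an access control list bound to the client. HMAC-SHA256 as the keyed hash, the nonce-based key derivation, the direction tags, the command names and the ACL layout are all assumptions of this example.

```python
import hashlib
import hmac
import struct

# One counter per direction; the direction tag is an assumption added here so a
# message cannot be reflected back in the other direction.
C2S = b"\x01"   # client -> server
S2C = b"\x02"   # server -> client
TAG_LEN = 8     # truncated MAC length, chosen for the example

# Constructed sample shared secret standing in for a Bluetooth link key (not a real key).
LINK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_session_key(shared_secret: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Fresh session key per session from the shared secret (HMAC-based derivation, assumed)."""
    return hmac.new(shared_secret, b"RAA-session" + client_nonce + server_nonce,
                    hashlib.sha256).digest()


def compute_mac(session_key: bytes, direction: bytes, counter: int, payload: bytes) -> bytes:
    """Keyed hash over direction tag, counter value and payload, truncated to TAG_LEN bytes."""
    data = direction + struct.pack(">I", counter) + payload
    return hmac.new(session_key, data, hashlib.sha256).digest()[:TAG_LEN]


class Endpoint:
    """One end of the link: frames are counter || payload || MAC; receive checks MAC, then sequence."""

    def __init__(self, session_key: bytes, send_dir: bytes, recv_dir: bytes):
        self.key = session_key
        self.send_dir, self.recv_dir = send_dir, recv_dir
        self.sent = 0       # own counter, incremented for every outgoing message
        self.last_seen = 0  # highest counter accepted from the peer

    def send(self, payload: bytes) -> bytes:
        self.sent += 1
        tag = compute_mac(self.key, self.send_dir, self.sent, payload)
        return struct.pack(">I", self.sent) + payload + tag

    def receive(self, frame: bytes) -> bytes:
        if len(frame) < 4 + TAG_LEN:
            raise ValueError("malformed frame")
        counter = struct.unpack(">I", frame[:4])[0]
        payload, tag = frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = compute_mac(self.key, self.recv_dir, counter, payload)
        if not hmac.compare_digest(tag, expected):   # altered in transit or not from the key holder
            raise ValueError("MAC verification failed")
        if counter <= self.last_seen:                # repeated message: out of sequence
            raise ValueError("replayed message (counter %d)" % counter)
        self.last_seen = counter
        return payload


class RAAServer(Endpoint):
    """Server side: integrity check first, then the filter consults the client's access control list."""

    def __init__(self, session_key: bytes, client_id: str, acl: dict):
        super().__init__(session_key, S2C, C2S)
        self.allowed = frozenset(acl.get(client_id, ()))   # ACL entry bound to this client

    def handle(self, frame: bytes) -> bytes:
        try:
            payload = self.receive(frame)
        except ValueError as err:
            return self.send(b"REJECT:" + str(err).encode())
        command = payload.split(b" ", 1)[0]
        if command not in self.allowed:              # filter mechanism: not forwarded to the module
            return self.send(b"DENY:" + command)
        return self.send(b"OK:" + self.subscription_module(payload))

    @staticmethod
    def subscription_module(payload: bytes) -> bytes:
        """Stand-in for the SIM; constructed responses, not a real GSM algorithm."""
        command, _, arg = payload.partition(b" ")
        if command == b"RUN_GSM_ALGORITHM":
            return b"SRES=" + hashlib.sha256(b"Ki-placeholder" + arg).hexdigest()[:8].encode()
        if command == b"READ_PHONEBOOK":
            return b"Alice;Bob"
        return b"unknown command"


def run_session() -> list:
    """Drives one session and returns the server's response payload to each client message."""
    acl = {"client-A": {b"RUN_GSM_ALGORITHM"}}   # may authenticate, may not read the phonebook
    key = derive_session_key(LINK_KEY, b"nonce-c", b"nonce-s")   # nonces constructed for the example
    client = Endpoint(key, C2S, S2C)
    server = RAAServer(key, "client-A", acl)
    replies = []
    auth_frame = client.send(b"RUN_GSM_ALGORITHM RAND=" + b"\x00" * 16)
    replies.append(client.receive(server.handle(auth_frame)))                      # OK:SRES=...
    replies.append(client.receive(server.handle(client.send(b"READ_PHONEBOOK"))))  # DENY
    replies.append(client.receive(server.handle(auth_frame)))                      # replay -> REJECT
    tampered = auth_frame[:6] + bytes([auth_frame[6] ^ 1]) + auth_frame[7:]        # flip one payload bit
    replies.append(client.receive(server.handle(tampered)))                        # REJECT (MAC)
    return replies
```

The replay and tampering cases are rejected before the filter is consulted, so the access control list only ever sees messages that carried a valid MAC and a fresh counter.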

The invention further relates to a server communications device including a subscription module, the server communications device comprising communications means for establishing a communications link with a client communications device, and for receiving a number of messages addressing the subscription module from the client communications device via the communications link;

characterised in that

the server communications device comprises processing means for determining, for at least one of the received messages, whether the message is authorised to address the subscription module.

Preferably, the server communications device comprises storage means for storing an access control list as described above.

The invention will be explained more fully below in connection with a preferred embodiment and with reference to the drawing, in which:

FIG. 1 shows a schematic view of a client communications device and a server communications device according to an embodiment of the invention;

FIG. 2 shows a schematic block diagram of a communications system according to an embodiment of the invention illustrating the flow of a message from the client communications device addressing the subscription module of a server communications device;

FIG. 3 shows a flow diagram of a secure communications session according to an embodiment of the invention;

FIG. 4 shows a flow diagram illustrating the communication of a message from the client to the server communications device;

FIG. 5 shows a flow diagram illustrating the communication of a message from the server to the client communications device;

FIG. 6 shows a flow diagram of a process of generating a shared secret according to an embodiment of the invention;

FIG. 7 illustrates a filter mechanism according to an embodiment of the invention; and

FIG. 8 shows a schematic view of a server communications device according to an embodiment of the invention.

FIG. 1 shows a schematic view of a client communications device and a server communications device according to an embodiment of the invention. The client communications device 106 includes an antenna 113 for communicating via a mobile communications network 114, e.g. a GSM network. The client communications device further comprises circuitry 107 for controlling the communications device, a storage medium 108, a display 111 and a keypad 112, or other user input/output means. For example, the client communications device may be a mobile telephone or another personal communications device, such as a communicator, a PDA, a laptop, a pager, a car phone, or the like. Further examples of a client communications device include a modem, a telefax or other telecommunications equipment. The storage medium 108 may be a memory section of a SIM card comprising EPROM, ROM and/or RAM sections. Alternatively, the storage medium may be another built-in or insertable memory, such as EEPROM, flash memory, ROM, RAM, etc.

The client communications device further comprises a Bluetooth transceiver 110. Via the Bluetooth transceiver, a local radio link 115 for data transmission can be established between the client communications device and a Bluetooth transceiver 104 of a server communications device 101 when the server communications device is brought into the connection range of the wireless local communication of the client communications device, or vice versa. The server communications device 101 comprises a processing unit 105 and a subscription module 102. In one embodiment, the subscription module is a SIM card comprising a processing unit, a memory including an EPROM section, a ROM section and a RAM section and an input/output port. Hence, the server communications device has direct access to a subscription module and is physically connected to it. The server communications device may grant the client communications device access to the services and files of the subscription module 102. For example, the server communications device may be a mobile telephone or other personal communications equipment. Alternatively, the server communications device may be a special remote access device which only serves as an access server for different client devices. For example, the server communications device may be implemented as a contactless smart card, e.g. a smart card with an integrated wireless communications interface such as a short-range radio interface.

Hence, the client communications device 106 may access the services and files of the subscription module 102 of the server communications device 101, via the radio link 115, and use the access for the connection to the cellular network 114.

In the above, two general roles have been described: A Remote Authentication Access Server (RAA Server) having direct access to the subscription module, and a Remote Authentication Access Client (RAA Client) obtaining remote access to the subscription module, thereby obtaining access to a number of possible services. Hence, in the following, the client communications device will also be referred to as the RAA Client and the server communications device will be referred to as the RAA Server. Examples of the functionality, services and data which may be accessed by the RAA Client include:

-   Register the RAA Client 106 in a cellular network 114 using the subscription module 102 in the RAA Server 101.
-   The RAA Client 106 can access data and services available in the subscription module 102.
-   The RAA Server 101 may exercise access control on what services and data can be accessed by a RAA Client 106;
-   Establish a connection (i.e. a voice, fax, or data call), hereafter referred to as a “call”, from the RAA Client 106 using the subscription module 102 in the RAA Server 101;
-   Receiving a call from the network 114 at the RAA Client 106.

On one hand, from a security point of view, it may be desirable toprovide an end-to-end protection between the RAA client and thesubscription module 102. However, such an end-to-end protection wouldrequire a trust relation between the subscription module and the RAAClient. In many applications such a trust relation is unfeasible. Asmentioned above, the security offered for the communications link 115 bystandard wireless communications protocols, such as Bluetooth, do notprovide sufficient security for the security sensitive subscriptionmodule access. According to the invention, the processing units 105 and107 provide functionality 103 and 109, respectively, for integrityprotection of the messages sent over the communications link 115. Hence,it is ensured that the messages have not be altered during transmissionover the air interface 115, and that the messages were sent from anauthorised device. Preferred embodiments of this functionality will bedescribed in greater detail below. Furthermore, the processing unit 105of the RAA Server provides a filter mechanism 116 adapted to ensure thataccess to the subscription module is only provided to messagesoriginating from an authorised service, as will be described in greaterdetail below.

FIG. 2 shows a schematic block diagram of a communications system according to an embodiment of the invention illustrating the flow of a message from the client communications device addressing the subscription module of a server communications device. The communications system comprises a client communications device 206 and a server communications device 201 including a subscription module 202.

As mentioned above, the remote access to the subscription module by the RAA Client is particularly security sensitive. Consequently, according to the invention, each message sent from an application 207 on the RAA Client to the RAA Server is authenticated by adding a message authentication code (MAC) to each message between the RAA Client and the RAA Server. Hence, the RAA Client comprises an integrity protection module 209 for calculating a MAC value and including the calculated MAC value in the message. Subsequently, the message is transmitted to the server communications device by a communications circuit 210 for transmitting messages via a wireless communications link. In one embodiment, the communications circuit is a radio transmitter, such as a Bluetooth transceiver, implementing the lower levels of a communications stack.

The RAA Server 201 comprises a corresponding communications circuit 204 for receiving the transmitted message. The received message is fed into an integrity protection module 203 for authenticating the received message by calculating a MAC value and comparing it to the MAC value that was included in the message, as will be described in greater detail below. If the authentication fails, the message is rejected; otherwise the message is forwarded to a server subscription module access module 205 which implements a filter mechanism for limiting access to the subscription module 202 to authorised applications. The server subscription module access module 205 has access to a protected database 208 which comprises identification data and corresponding access control lists for use by the filter mechanism. A preferred embodiment of such a filter mechanism will be described in greater detail below. If the message is authenticated and if the filter mechanism has granted access to the subscription module, the message is forwarded to the subscription module 202 for processing.

If, for example, the message comprises a request for data, a response message is returned to the application 207 via the integrity protection circuit 203 which calculates a MAC value and includes it in the response message. The message is then communicated via communications circuits 204 and 210 to the RAA Client where the MAC value is checked by the integrity protection circuit 209 prior to forwarding the response message to the requesting application 207.

It is noted that the calculation of the MAC codes in the integrity protection modules 209 and 203 takes the message to be authenticated and a secret key as inputs. Hence, the integrity protection modules 209 and 203 have access to a shared secret stored in the RAA Client 206 and the RAA Server 201, respectively. Preferably, in order to prevent replay attacks, the shared secret is refreshed at each new communications session.

It is noted that the integrity protection modules 209 and 203 as well as the server subscription module access module 205 may be implemented in software by suitably programming general- or special-purpose programmable microprocessors, Application Specific Integrated Circuits (ASIC), Programmable Logic Arrays (PLA), Field Programmable Gate Arrays (FPGA), special purpose electronic circuits, etc., or a combination thereof.

FIG. 3 shows a flow diagram of a secure communications session according to an embodiment of the invention. FIG. 3 illustrates the steps performed in the client communications device 300 and in the server communications device 310, respectively.

In an initial step 301, a communications session over a wireless communications link is initiated, including authenticating the two devices using a suitable short-range wireless authentication mechanism, e.g. via the authentication mechanisms provided by the wireless communications protocol used, such as Bluetooth, IEEE 802.1X, or the like. Preferably, if present, encryption of the wireless link is switched on during session set-up.

In step 312, the server communications device 301 generates a random number, RAND, and sends this number to the client communications device 300, via the wireless link. The server communications device 301 further stores the random number in internal memory 315 for use in the subsequent steps. The client communications device receives the random number in step 302 and stores it in internal memory 305 for subsequent use.

In alternative embodiments, the random number may be generated by the client communications device instead, or a part of the random number may be generated by the client communications device and another part may be generated by the server communications device. The two random values are then combined to produce the value actually used as input for the later calculations.

In step 303, the client communications device uses the received random number as one of the input parameters to a pseudo random function ALG1. The second input parameter is a shared secret K_(m) (306) which is known to both the client and the server communications device. Examples of methods for creating the shared secret K_(m) will be described in connection with FIG. 6. The pseudo random function ALG1 generates a session key K_(s) (307) to be used for the integrity protection of the messages that are subsequently exchanged between the client and server communications devices. The algorithm ALG1 may be any suitable method for generating pseudo random numbers, preferably an algorithm which generates a random number that is unpredictable or at least not feasible to predict. An example of such an algorithm is a pseudo random function based on a one way hash function such as the HMAC algorithm described in H. Krawczyk, M. Bellare, R. Canetti, “HMAC: Keyed-Hashing for Message Authentication”, IETF RFC 2104 (obtainable on http://www.ietf.org/rfc/rfc2104).

Correspondingly, in step 313, the server communications device uses the generated random number RAND (315) as one of the input parameters to the pseudo random function ALG1. The second input parameter is the shared secret K_(m) (316) known to both the client and the server communications device. As for the client device, the pseudo random function ALG1 generates a session key K_(s) (317) to be used by the server communications device for the integrity protection of the messages subsequently exchanged between the client and server communications devices.

In steps 304 and 314 messages are communicated between the client communications device 300 and the server communications device 310, where each message is integrity protected based on the generated session key K_(s). Authenticated messages directed towards the subscription module are forwarded by the server communications device to the subscription module 318, thereby providing to the client communications device 300 access to the subscription module 318. A method of integrity protecting the communicated messages will be described in greater detail in connection with FIGS. 4 and 5.

FIG. 4 shows a flow diagram illustrating the communication of a message from the client communications device 300 to the server communications device 310. Hence, in one embodiment, the steps of FIG. 4 are performed as respective sub-processes of the steps 304 and 314 of FIG. 3.

Initially, in step 401 the value of a counter 410 is included in the message, and the counter is incremented.

In step 402, in the client communications device a message authentication code (MAC) is calculated for the message 411 to be sent and the counter value. The MAC algorithm receives the message 411, the counter, and the session key K_(s) (307) as inputs. The generation of the session key K_(s) as a shared secret between the client and the server communications devices is described above. The MAC algorithm used to calculate the MAC may be any suitable MAC algorithm, preferably a cryptographically strong MAC algorithm. An example of such a MAC algorithm providing a high level of security is the HMAC algorithm (see e.g. H. Krawczyk, M. Bellare, R. Canetti, “HMAC: Keyed-Hashing for Message Authentication”, IETF RFC 2104, obtainable on http://www.ietf.org/rfc/rfc2104). The calculated MAC value is included in, e.g. appended or prepended to, the message.

In step 403, the resulting message 412 comprising the original message M, the calculated MAC, and the counter CNT1 is transmitted to the server communications device via the wireless link.

In step 404, the server communications device 310 receives the combined message 412 and, in step 405, a MAC value is calculated based on the received message M including the counter value CNT1, and the session key K_(s) (317). The calculated MAC value is compared to the received MAC value in order to verify the integrity of the message. If the two MAC values match, the message is accepted; otherwise it is rejected.

In step 406, it is verified whether the received counter value CNT1 has a valid value given the value of an internal counter 411 maintained by the server communications device. For example, a counter value may be accepted if the received counter value is larger than the internal counter value and smaller than the internal value plus a predetermined increment. If the two counter values do not match, the message is rejected; otherwise the message is accepted and the internal counter 411 is incremented according to the received counter value.

It is noted that, alternatively, the order of the verification steps 405 and 406 may be reversed. In the flow diagram of FIG. 4, this is illustrated by only depicting an overall decision step 407, where the message is accepted (step 408) only if both the MAC value and the counter value are successfully verified. In this case the message may be forwarded to the subscription module. Otherwise the message is rejected (step 409). Preferably, access to the subscription module is subject to a further filter mechanism, as will be described below, in order to further increase the protection of the subscription module.

FIG. 5 shows a flow diagram illustrating the communication of a message from the server communications device 310 to the client communications device 301. Hence, the flow of FIG. 5 corresponds to the reverse flow of FIG. 4:

In step 501 the value of a counter CNT2 (511) is included in the message, and the counter CNT2 is incremented.

In step 502, in the server communications device a MAC is calculated for the message 512 to be sent and the counter value CNT2, as described above. The MAC algorithm receives the message 512, the counter value CNT2, and the session key K_(s) (317) as inputs. The calculated MAC value is included in the message.

In step 503, the resulting message 513 comprising the original message M, the calculated MAC, and the counter CNT2 is transmitted to the client communications device via the wireless link.

In step 504, the client communications device 301 receives the combined message 513 and, in step 505, the received MAC value is verified against a MAC value calculated based on the received message M and the session key K_(s) (307).

In step 506, it is verified whether the received counter value CNT2 has a valid value given the value of an internal counter 510 maintained by the client communications device. If the two counter values do not match, the message is rejected; otherwise the message is accepted and the internal counter 510 is incremented according to the received counter value.

Hence, as illustrated by the overall decision 507, the message is accepted (step 508) only if both the MAC value and the counter value are successfully verified. Otherwise the message is rejected (step 509).

FIG. 6 shows a flow diagram of a process of generating a shared secret according to an embodiment of the invention. According to this embodiment, the wireless communications link is a Bluetooth link.

In the initial step 601 a Bluetooth pairing is performed between the client communications device 301 and the server communications device 310 (see “Baseband Specification” in “Specification of the Bluetooth System, Core, Version 1.1”, Bluetooth Special Interest Group, February 2001) resulting in a Bluetooth link key shared between the client and the server communications devices. The link key is derived from a PIN that should be entered by the user(s) of the devices. The link key is subsequently used to produce an encryption key that is used to protect Bluetooth communication. The generated link key is stored in internal memory 606 and 616 of the client and the server communications devices, respectively.

In step 612, the server communications device 301 generates a random number, RAND, and sends this number to the client communications device 300, via the wireless link. The server communications device 301 further stores the random number in internal memory 615 for use in the subsequent steps. The client communications device receives the random number in step 602 and stores it in internal memory 605 for subsequent use.

In step 603, the client communications device uses the received random number as one of the input parameters to a pseudo random function ALG2. The second input parameter is the above link key 606. The pseudo random function ALG2 generates a shared secret K_(m) (306) to be used for generating secret session keys according to FIG. 3. The algorithm ALG2 may be any suitable method for generating pseudo random numbers, preferably an algorithm which generates a random number which is unpredictable or at least infeasible to predict. An example of such an algorithm is a pseudo random function based on a one way hash function such as the HMAC algorithm described in H. Krawczyk, M. Bellare, R. Canetti, “HMAC: Keyed-Hashing for Message Authentication”, IETF RFC 2104 (obtainable on http://www.ietf.org/rfc/rfc2104).

Correspondingly, in step 613, the server communications device uses the generated random number RAND (615) as one of the input parameters to the pseudo random function ALG2. The second input parameter is the link key 616. As for the client device, the pseudo random function ALG2 generates the shared secret K_(m) (316).

In step 614, the server communications device stores the information relating to the client communications device in a protected database 616. In one embodiment, the information comprises an identifier identifying the client communications device, the shared secret K_(m), and an access control list including the services of the subscription module which the communications device should be granted access to. Hence, in step 614, the server communications device selects the set of services provided by the subscription module that the client communications device or a client application should be allowed to access. For example, the set of services may be a default set, a set of services selected by the user during, or a set selected according to another criterion. By storing this information in a database, a filter mechanism may access this information and provide selective access to the subscription module. An embodiment of such a filter mechanism will be described below. Preferably, the database 616 is protected against unauthorised access, e.g. by storing it in a special protected circuit, by a software protection such as encryption or authentication, or the like.

It is noted that in alternative embodiments using a communications protocol other than Bluetooth, a corresponding process may be performed using a shared secret established during an initial pairing procedure between the server and client communications devices.

Hence, in the above a method is described for deriving a shared secret from a Bluetooth link key or a corresponding key in another protocol.
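As an added illustration of FIGS. 3 to 6 (example code written for this page, not part of the patent), the following Python session instantiates ALG1, ALG2 and the per-message MAC with HMAC-SHA256, which the text names as one suitable choice. The frame layout M || CNT || MAC, the 4-byte big-endian counter, the window size of 8 for the counter check and the constructed messages are assumptions of the example.

```python
import hashlib
import hmac
import os
import struct

# Assumptions of this example (the page fixes none of these): a 4-byte
# big-endian counter appended to M, a 32-byte HMAC-SHA256 tag, and an
# acceptance window of 8 for the counter check of steps 406/506.
CNT_LEN = 4
MAC_LEN = 32
WINDOW = 8


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, used here to instantiate ALG1, ALG2 and the message MAC."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_master_secret(link_key: bytes, rand: bytes) -> bytes:
    """ALG2 (FIG. 6, steps 603/613): K_m from the pairing link key and RAND."""
    return prf(link_key, b"ALG2" + rand)


def derive_session_key(k_m: bytes, rand: bytes) -> bytes:
    """ALG1 (FIG. 3, steps 303/313): a fresh K_s from K_m and the session RAND."""
    return prf(k_m, b"ALG1" + rand)


class Endpoint:
    """One side of the link (RAA Client or RAA Server): holds K_s, its own send
    counter (CNT1 or CNT2) and the internal counter that tracks the peer."""

    def __init__(self, k_s: bytes) -> None:
        self.k_s = k_s
        self.send_cnt = 1   # next counter value placed in an outgoing message
        self.recv_cnt = 0   # last accepted counter value received from the peer

    def protect(self, m: bytes) -> bytes:
        """Steps 401-403 / 501-503: frame = M || CNT || MAC(K_s, M || CNT)."""
        cnt = struct.pack(">I", self.send_cnt)
        self.send_cnt += 1
        return m + cnt + prf(self.k_s, m + cnt)

    def verify(self, frame: bytes):
        """Steps 404-407 / 504-507: return M if both the MAC and the counter
        verify, otherwise None. The internal counter only advances on
        acceptance, so a rejected frame cannot shift the window."""
        if len(frame) < CNT_LEN + MAC_LEN:
            return None
        body, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
        m, cnt_bytes = body[:-CNT_LEN], body[-CNT_LEN:]
        mac_ok = hmac.compare_digest(prf(self.k_s, body), mac)
        cnt = struct.unpack(">I", cnt_bytes)[0]
        # Steps 406/506: accept only if internal < CNT < internal + WINDOW, so a
        # replayed frame fails here even though its MAC is genuine.
        cnt_ok = self.recv_cnt < cnt < self.recv_cnt + WINDOW
        if not (mac_ok and cnt_ok):
            return None
        self.recv_cnt = cnt
        return m


def run_session() -> dict:
    """Walk through FIGS. 3-6 with constructed keys and messages and report
    which frames each receiver accepts."""
    link_key = os.urandom(16)                              # stands in for the Bluetooth link key
    k_m = derive_master_secret(link_key, os.urandom(16))   # FIG. 6: pairing-time K_m
    rand = os.urandom(16)                                  # step 312: server RAND for this session
    client = Endpoint(derive_session_key(k_m, rand))       # step 303
    server = Endpoint(derive_session_key(k_m, rand))       # step 313

    request = client.protect(b"READ subscription file")    # constructed request, CNT1 = 1
    accepted = server.verify(request)
    replay = server.verify(request)                        # same frame again: CNT1 not > internal

    tampered = bytearray(client.protect(b"READ subscription file"))  # CNT1 = 2
    tampered[0] ^= 0x01                                    # one bit of M flipped in transit
    tamper_result = server.verify(bytes(tampered))

    # CNT1 and CNT2 are independent, so the server's first response (CNT2 = 1)
    # is accepted by the client whatever happened to CNT1.
    response = client.verify(server.protect(b"OK 9000"))   # constructed status reply

    # A genuine MAC with a counter beyond the window is rejected as well.
    client.send_cnt += WINDOW                              # CNT1 jumps from 3 to 11
    jumped = server.verify(client.protect(b"late request"))

    return {
        "accepted": accepted,
        "replay_rejected": replay is None,
        "tamper_rejected": tamper_result is None,
        "response": response,
        "jump_rejected": jumped is None,
    }


if __name__ == "__main__":
    print(run_session())
```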

Alternatively, the shared secret may be obtained in a different way. For example, the shared secret K_(m) may be derived from a secure pairing protocol. The pairing may be performed using a secure key exchange mechanism based on public key certificates, on a user PIN input, or the like. If a PIN based method is used, the user is requested to enter a password into at least one of the devices. Examples of highly secure PIN based methods are described in C. Gehrmann and K. Nyberg: “Enhancements to the Bluetooth Baseband Security”, in Proceedings of the NordSec Conference 2001, 1-2 Nov. 2001, DTU, Denmark.

Hence, in the above, user-friendly and, at the same time, secure ways of obtaining a shared secret between the RAA Client and the RAA Server have been described.

FIG. 7 illustrates a filter mechanism according to an embodiment of the invention. FIG. 7 illustrates the steps performed by the server communications device upon receipt of a message from the client communications device. The steps 404-406 of receiving the message, verifying a MAC value, and checking a counter, respectively, have been described in connection with FIG. 4. If the received message is accepted (step 407), and if the message attempts to access a service provided by the subscription module, the message is passed to a server subscription module application which implements a filter mechanism. In step 701, the server subscription module application sends a query to the access control database 616 described in connection with FIG. 6. The query comprises the ID of the requesting RAA Client. In one embodiment, the query further includes an identification of the requesting client application, thereby providing a more fine-grained access control, as some applications on a given device may obtain other access rights than other applications on the same device. The database returns the corresponding list of accepted services for that particular RAA Client to the server subscription module application. In step 702, the server subscription module application checks whether the requested service should be granted to the requesting client. If so, the RAA Client request is forwarded to the subscription module 318 (step 704); otherwise the request is rejected.

Hence, the above filter mechanism protects the subscription module against unauthorised access by restricting access to the subscription module. Only selected clients have access to selected services. In particular, access to security sensitive functions may be limited while providing wider access to other functions. This is a particular advantage if a SIM card is used for other authentication services than GSM/UMTS. In such a scenario, the above method prevents the security of the GSM/UMTS access from being compromised by other services.

FIG. 8 shows a schematic view of a modular server communications device according to an embodiment of the invention. The server communications device comprises a base module 801 with a subscription module 802. The base module 801 provides interfaces 804 and 806 to a user interface module 808 and a radio interface module 805. The user interface may provide a display for providing a graphical user interface and/or a keypad, a pointing device, or the like. The radio interface unit may comprise a radio transmitter/receiver and an aerial for connecting to a cellular network, a short-range radio transceiver and/or other wireless interfaces. The interfaces 804 and 806 may be implemented as plug-in interfaces, e.g. using a standard such as USB or the like. Alternatively, the interfaces may be contact-free interfaces, e.g. based on electromagnetic radiation, such as infrared or a radio link, e.g. using the Bluetooth technology or other short-range wireless communications technologies. The data communication via the interface 804 and/or the interface 806 may use a proprietary or a standard protocol. For example, the base module may be implemented as a smart card, e.g. a smart card having an integrated radio interface. In another embodiment, the base module may be implemented as a unit providing the interfaces 804 and 806 and including a subscription module, e.g. as a removably insertable unit, such as a smart card.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims.

For example, even though the invention has primarily been described in connection with a Bluetooth wireless communications link, the scope of the invention is not restricted to Bluetooth communications. It is understood that the invention may also be applied in connection with other communications links between the client and server communications devices. For example, the invention may be applied to other wireless communications links, such as an electromagnetic, magnetic or inductive link. Examples of electromagnetic links include radio-frequency links, optical links, infrared links, microwave links, ultrasound links, or the like.

1. A method of providing to a client communications device access to a subscription module of a server communications device, the method comprising the steps of: establishing a communications link between the client communications device and the server communications device; and communicating a number of messages (M) comprising data related to the subscription module between the server communications device and the client communications device via the communications link; wherein the method further comprises the step of providing integrity protection of the messages communicated between the server communications device and the client communications device via the communications link.
2. The method according to claim 1, wherein the step of providing integrity protection further comprises calculating, based on a secret session key, a respective message authentication code for each of the communicated messages; and including the calculated message authentication code into the corresponding communicated message.
3. The method according to claim 2, wherein the step of establishing a communications link between the client and server communications devices comprises determining a secret session key based on a shared secret between the server and client communications devices.
4. The method according to claim 3, wherein the method further comprises providing the shared secret by performing a secure pairing procedure including receiving a passcode by at least one of the client communications device and the server communications device.
5. The method according to claim 4, wherein the passcode is at the most 48 bits long.
6. The method according to claim 3, wherein the communications link has a secret link key related to it and the method further comprises providing the shared secret by calculating the shared secret using the secret link key as an input.
7. The method according to any one of claims 2 through 6, wherein the method further comprises: incorporating a value of a first counter in each of the messages communicated from the client communications device to the server communications device, the first counter being indicative of the number of messages communicated from the client communications device to the server communications device; and incorporating a value of a second counter in each of the messages communicated from the server communications device to the client communications device, the second counter being indicative of the number of messages communicated from the server communications device to the client communications device; and wherein the step of calculating a respective message authentication code for each of the communicated messages comprises calculating a message authentication code for each of the communicated messages and the corresponding counter value.
8. The method according to claim 1, wherein the method further comprises determining, for the messages communicated from the client communications device to the server communications device, whether the message is authorised to address the subscription module.
9. The method according to claim 8, wherein the method further comprises: providing a shared secret between the client communications device and the server communications device; and providing an access control list stored in the server communications device in relation to at least one of the shared secret and the client communications device.
10. A communications system comprising a client communications device and a server communications device including a subscription module, the client and server communications devices each comprising respective communications means for establishing a communications link between the client communications device and the server communications device, and for communicating a number of messages comprising data related to the subscription module between the server communications device and the client communications device via the communications link; wherein the client communications device and the server communications device each comprise respective processing means adapted to provide integrity protection of the messages communicated between the server communications device and the client communications device via the communications link.
11. A server communications device including a subscription module, the server communications device comprising communications means for establishing a communications link with a client communications device, and for communicating a number of messages comprising data related to the subscription module between the server communications device and the client communications device via the communications link; wherein the server communications device comprises processing means adapted to provide integrity protection of the messages communicated between the server communications device and the client communications device via the communications link.
12. A client communications device for providing access to a subscription module of a server communications device, the client communications device comprising communications means for establishing a communications link with the server communications device including the subscription module, and for communicating a number of messages comprising data related to the subscription module between the client communications device and the server communications device via the communications link; wherein the client communications device comprises processing means adapted to provide integrity protection of the messages communicated between the client communications device and the server communications device via the communications link.
13. A method of providing to a client communications device access to a subscription module by a server communications device comprising the subscription module, the method comprising the steps of establishing a communications link between the client communications device and the server communications device; receiving a number of messages from the client communications device by the server communications device via the communications link, the messages addressing the subscription module; and wherein the method further comprises the step of determining, for at least one of the received messages, whether the message is authorised to address the subscription module.
14. The method according to claim 13, wherein the method further comprises providing integrity protection of the messages communicated between the server communications device and the client communications device via the communications link, where the integrity protection is based on a shared secret between the client communications device and the server communications device; and providing an access control list stored in the server communications device in relation to at least one of the shared secret and the client communications device.
15. The method according to claim 14, wherein the access control list is stored in a protected database.
16. The method according to claim 14 or 15, wherein the method further comprises calculating, based on a secret session key, a respective message authentication code for each of the communicated messages; and including the calculated message authentication code into the corresponding communicated message.
17. The method according to claim 16, wherein the step of establishing a communications link between the client and server communications devices comprises determining the secret session key based on said shared secret between the server and client communications devices.
18. The method according to claim 17, wherein the method further comprises providing the shared secret by performing a secure pairing procedure including receiving a passcode by at least one of the client communications device and the server communications device.
19. The method according to claim 18, wherein the passcode is at the most 48 bits long.
20. The method according to claim 18, wherein the communications link has a secret link key related to it and the method further comprises providing the shared secret by calculating the shared secret using the secret link key as an input.
21. The method according to claim 14, wherein the method further comprises: incorporating a value of a first counter in each of the messages communicated from the client communications device to the server communications device, the first counter being indicative of the number of messages communicated from the client communications device to the server communications device; incorporating a value of a second counter in each of the messages communicated from the server communications device to the client communications device, the second counter being indicative of the number of messages communicated from the server communications device to the client communications device; and wherein the step of calculating a respective message authentication code for each of the communicated messages comprises calculating a message authentication code for each of the communicated messages and the corresponding counter value.
22. A server communications device including a subscription module, the server communications device comprising communications means for establishing a communications link with a client communications device, and for receiving a number of messages addressing the subscription module from the client communications device via the communications link; and wherein the server communications device comprises processing means for determining, for at least one of the received messages, whether the message is authorised to address the subscription module.